Configure Atlassian Crowd Security for Release
Release has a role-based security system with two types of users:
- Internal users: Users that are managed by Release. For more information, see Internal users.
- External users: Users that are maintained in an LDAP repository such as Active Directory or Atlassian Crowd. For more information, see LDAP repository.
This topic describes how to configure Release to use Atlassian Crowd to authenticate users and retrieve role (group) membership. In Release, Atlassian Crowd users and groups become principals that you can assign to roles. Global permissions are assigned at the role level. For more information, see Configure permissions.
While role memberships and permissions assigned to roles are stored in the Release repository, Release treats Atlassian Crowd as read-only. This means that Release will use information from Atlassian Crowd, but it cannot make changes to that information.
Release cookies store security information that is provided by the Spring Security framework. Release does not store any additional information in cookies. This integration uses the centralized authentication connector for Spring Security that Atlassian Crowd provides.
Integration based on CrowdID is not supported.
Step 1 - Configure Atlassian Crowd to communicate with the Release Application
To configure Atlassian Crowd to receive authentication requests from Release:
- Add the Release application to Atlassian Crowd.
- Add and configure the directories that are visible to Release.
- Add and map the groups that will authenticate with Release.
For more information, see Adding an Application.
Step 2 - Configure Release to use Atlassian Crowd
To configure Release to use Atlassian Crowd, modify the xl-release-security.xml security configuration file. The following is an example xl-release-security.xml file:
Depending on your version of Release and the customizations it has, this sample may differ from your xl-release-security.xml file.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <import resource="xl-crowd-deploy-security.xml"/>

    <!-- Loads user details and group membership from Crowd.
         The empty authorityPrefix leaves Crowd group names unchanged. -->
    <bean id="crowdUserDetailsService" class="com.atlassian.crowd.integration.springsecurity.user.CrowdUserDetailsServiceImpl">
        <property name="crowdClient" ref="crowdClient"/>
        <property name="authorityPrefix" value=""/>
    </bean>

    <!-- Authenticates users against the Crowd server. -->
    <bean id="crowdAuthenticationProvider" class="com.xebialabs.deployit.security.authentication.XLCrowdAuthenticationProvider">
        <constructor-arg ref="crowdClient"/>
        <constructor-arg ref="crowdHttpAuthenticator"/>
        <constructor-arg ref="crowdUserDetailsService"/>
    </bean>

    <bean id="rememberMeAuthenticationProvider" class="com.xebialabs.deployit.security.authentication.RememberMeAuthenticationProvider"/>

    <!-- Spring Security tries the providers in the order listed. -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="rememberMeAuthenticationProvider"/>
        <security:authentication-provider ref="xlAuthenticationProvider"/>
        <security:authentication-provider ref="crowdAuthenticationProvider"/>
    </security:authentication-manager>
</beans>
```
Step 3 - Add the cache configuration file to your Release directory
Copy the following file into your XL_RELEASE_SERVER_HOME/conf directory:
Copy From | Copy To |
---|---|
CROWD/client/conf/crowd-ehcache.xml | XL_RELEASE_SERVER_HOME/conf/crowd-ehcache.xml |
This file can be adjusted to change the cache behavior.
Step 4 - Configure the Atlassian Crowd Spring Security connector properties
The Atlassian Crowd Spring Security connector must be configured with the details of the Atlassian Crowd server.
- Copy the default crowd.properties file into your XL_RELEASE_SERVER_HOME/conf directory:
Copy From | Copy To |
---|---|
CROWD/client/conf/crowd.properties | XL_RELEASE_SERVER_HOME/conf/crowd.properties |
- Edit crowd.properties and populate the following fields appropriately:
Key | Value |
---|---|
application.name | Use the same application name that you used when adding the application to Atlassian Crowd. |
application.password | Use the same application password that you used when adding the application to Atlassian Crowd. |
crowd.server.url | URL to use when connecting with the integration libraries that are used to communicate with the Atlassian Crowd server, for example http://localhost:8095/crowd/services/. |
session.validationinterval | The time interval between requests that validate whether the user is logged in or out of the Atlassian Crowd server. Set this value to 0 if you want authentication checks to occur on each request. Otherwise, set it to the number of minutes you wish to wait between requests. Setting this value to 1 or higher will increase the performance of the Atlassian Crowd integration. |
For more information, see crowd.properties.
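A small audit of the crowd.properties file from this step, added here as an example and not taken from the Release or Crowd documentation. It checks that the four keys are set and flags a cleartext crowd.server.url to a non-local host, a session.validationinterval above an assumed 5-minute policy, and file permissions that let group or other users read application.password; the function names, the threshold and the sample values are assumptions.

```python
import os
import re
from urllib.parse import urlparse

# Key names are from the page; the threshold is an assumed site policy.
REQUIRED = ("application.name", "application.password",
            "crowd.server.url", "session.validationinterval")
MAX_INTERVAL_MINUTES = 5  # assumption: longest acceptable gap between session checks
LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")

def parse_properties(text):
    """Parse Java-style properties: '=', ':' or whitespace separates key and value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).replace("\\:", ":").replace("\\=", "=")
    return props

def audit(props, mode=None):
    """Return a list of findings; mode is the file's permission bits, if known."""
    findings = [f"missing: {k}" for k in REQUIRED if not props.get(k)]
    url = urlparse(props.get("crowd.server.url", ""))
    if url.scheme == "http" and url.hostname not in ("localhost", "127.0.0.1", "::1"):
        findings.append("cleartext: crowd.server.url uses http to a non-local host")
    interval = props.get("session.validationinterval", "")
    if interval and not interval.isdigit():
        findings.append("invalid: session.validationinterval must be whole minutes")
    elif interval.isdigit() and int(interval) > MAX_INTERVAL_MINUTES:
        findings.append(f"stale-session: {interval} min exceeds {MAX_INTERVAL_MINUTES} min")
    if mode is not None and mode & 0o077:
        findings.append("permissions: application.password readable by group/other")
    return findings

def audit_file(path):  # reads the file and its permission bits from disk
    with open(path, encoding="latin-1") as fh:
        return audit(parse_properties(fh.read()), os.stat(path).st_mode & 0o777)

# Constructed sample for illustration; the host name and password are made up.
SAMPLE = """\
application.name                xl-release
application.password            changeit
crowd.server.url                http://crowd.example.internal:8095/crowd/services/
session.validationinterval      30
"""
if __name__ == "__main__":
    print("\n".join(audit(parse_properties(SAMPLE), mode=0o644)))
```

A longer session.validationinterval means Release keeps honouring a session for that many minutes after the user has been logged out in Crowd, which is the trade-off against the performance gain described above.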
Example team security setup
You can set up an Atlassian Crowd group called devs to be used by the members of a team in Release. Assign this group to a role in Release called Developers. At folder or release level, you can add permissions for a team called Dev Team that contains the Release role Developers. This role contains the created Atlassian Crowd group called devs.
When you log in through Atlassian Crowd as a user in the devs group, you will have the permissions for the Developers role at folder or release level.
For more information about this integration, see Integrating Crowd with Spring Security. The required artifacts come from the Atlassian public Maven repository.